November 12, 2008
SAFEGUARDING PERSONAL INFORMATION
By: Daniel Duffy, Principal Analyst
You asked why the legislature exempted state agencies and political subdivisions from the duty to safeguard personal information established by PA 08-167.
An Act Concerning the Confidentiality of Social Security Numbers (PA 08-167, HB 5658) was one of several bills concerned with personal identifying information considered by the legislature in 2008. It (1) requires anyone possessing personal information about another person to safeguard it and the computer files and documents containing it and (2) defines “personal information” as information that can be associated with an individual through an identifier like a Social Security number. It exempts state agencies and political subdivisions from the duty to safeguard personal information.
We did not find any statement in the public record explaining why state agencies and municipalities were exempted from the duty to safeguard personal information. We examined the public hearing transcript for SB 30 and the legislative session transcripts for both SB 30 and HB 5658.
As originally drafted, HB 5658 would have prohibited anyone, other than the state or its political subdivisions, from requiring an individual to provide his or her Social Security number as a condition of leasing, purchasing, or receiving products, goods, or services, with certain exceptions. The House of Representatives replaced the text of the bill with a related provision taken from a much larger bill, An Act Concerning Consumer Privacy and Identity Theft (SB 30). SB 30 was proposed by the governor and was the product of a task force that included the commissioners of the Departments of Consumer Protection, Information and Technology, and Public Safety. The exemption provision you asked about was a part of the governor's bill as originally proposed. The General Law Committee favorably reported SB 30 and the Senate passed it, but it died on the House calendar at the end of the legislative session.
AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS (PA 08-167)
The act requires anyone in possession of personal information about another person to safeguard the data and computer files and documents containing it from misuse by third parties and to destroy, erase, or make unreadable any document, computer file, or data before disposing of it. For this purpose, “personal information” means information capable of being associated with a particular individual through one or more identifiers, such as a Social Security number, driver's license number, state identification card number, account number, credit or debit card number, passport number, alien registration number, or health insurance identification number. It does not include publicly available information lawfully made available from federal, state, or local government records or widely distributed media.
The act requires anyone that collects Social Security numbers in the course of business to create a privacy protection policy that must be published or publicly displayed, which includes posting it on an Internet web page. The policy must ensure confidentiality of Social Security numbers, prohibit their unlawful disclosure, and limit access to them.
For persons and entities that hold a state license, registration, or certificate issued by a state agency other than the Department of Consumer Protection, the act provides that its provisions restricting the dissemination of Social Security numbers and on safeguarding personal information are enforceable by the agency that issued the credential using its existing statutory and regulatory authority.
The act exempts state agencies and political subdivisions from the duty to safeguard personal information.
It subjects violators to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event. It provides that conduct that would otherwise violate the act is not a violation if it is unintentional. Civil penalties must be deposited into the Privacy Protection Guaranty and Enforcement Account. (Because legislation establishing the account was not enacted, penalties will presumably be deposited into the General Fund.)
The law, prior to the passage of PA 08-167, already prohibited individuals and businesses from publicly disclosing Social Security numbers. The prohibition does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes (CGS § 42-470). Like PA 08-167, the law exempts state agencies and municipalities.
The law also prohibits:
1. intentionally communicating or otherwise making available to the general public an individual's Social Security number;
2. printing anyone's Social Security number on a card that the individual must use to access the person or entity's products or services;
3. requiring anyone to transmit his or her Social Security number over the Internet, unless the connection is secure or the number is encrypted; or
4. requiring anyone to use his or her Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.